|
REDI REQUIREMENTS |
SAFETYSEND REDI ATTRIBUTES |
|
(1) Ensure the confidentiality, protection,
integrity, and availability of electronic data
(REDI) and communication information that the
entity creates, receives, maintains, or transmits.
|
Allows the client a secure method to transfer
confidential information (REDI) from the sender,
via interim custody, through to delivery.
Validates the transfer of custody to an
authenticated recipient at each interval.
Provides remote storage in secure folders in an
uncorrupted form; transmission is via an
encrypted channel to a verified recipient. |
|
(2) Protect against any reasonably anticipated
threats to REDI; a specification is a reasonable
and appropriate safeguard in its environment
when analyzed with reference to its likely
contribution to protecting the entity's REDI;
|
Authentication is required to access any secured
data on the system. Each data exchange is
verified by the system during a document's
transfer of custody and summarily recorded in an
audit trail. This dynamic authentication method
is established by the creation and use of a
personal password system, including generation
of temporary passwords for assigned, known
recipients. Timed "log out" protects against
unauthorized system access at defined intervals
or by manual exit. The system provides automatic
virus filtering and updating, spam filtering,
and spyware removal on demand. |
|
(3) Protect against any reasonably anticipated
uses or disclosures of such information that are
not permitted or required.
|
Requires user authentication upon each timed
entrance to the secure communication system. |
|
(4) Designate a System Administrator to ensure
compliance with this subpart by its workforce.
|
Sanction is established by the entity;
compliance is under the purview of the
entity-designated "system administrator".
Executed at the direction of the System
Administrator by SafetySend Client Services. |
|
(b) REDI - Flexibility of approach. |
|
(1) Entities can apply many security measures
that allow the entity to reasonably and
appropriately implement the standards and
implementation specifications as specified in
their policies and procedures.
|
Adaptable to the evolution of GLB and HIPAA
regulation without the need for software
upgrades to individual user terminals or
computers. Adaptations are implemented
throughout the system to all users. Changes or
modifications of regulations are implemented for
all client users as they become law. Specific
corporate security directives may also be
applied. |
|
(2) In deciding which security measures to use,
an entity should take into account the following
factors:
|
Specific policies and procedures are always the
responsibility of the regulated entity.
SafetySend provides the attributes for
electronic communication and a component of
overall compliance with regulation. |
|
(i) The size, complexity, and capabilities of
the covered entity.
|
Scalable to over 10,000 users in each domain, or
to a larger operation when adapted, without
regard to the number of authorized and
authenticated users. Message, document and image
sizes are unrestricted. |
|
(ii) The covered entity's technical
infrastructure, hardware, and software security
capabilities.
|
SafetySend does not rely on the hardware or
software of the covered entity; it operates on
proprietary code and secure servers established
specifically for this purpose. |
|
(iii) The costs of security measures.
|
Clients are not charged for increased security
upgrades or modifications on an individual
basis. System upgrades, security improvements
and changes in functionality are implemented at
the secure server application and immediately
applied throughout the system. |
|
(iv) The probability and criticality of
potential risks to REDI.
|
Reduces the probability of loss through
identified controls over access and over
untraceable dissemination. Access is limited;
transmissions are auditable; receipts are
auditable; users are authenticated and
identifiable. |
|
REDI - Administrative safeguards. |
|
A covered entity is required to address the
application of Administrative Safeguards in
accordance with Regulations. |
|
(1)(i) Standard: Security management process.
Implement policies and procedures to prevent,
detect, contain, and correct security
violations.
|
Security procedures are designed to detect and
record attempts at unauthorized access; to
immediately notify network administrators of
excessive password violations, attempted
transfer of computer viruses, and containment of
potentially harmful files; and to render these
activities to a security log. Individual tools
for the detection and removal of viruses,
spyware and other compromising software are made
available to each user from the main menu. |
|
(A) Risk analysis is required. Conduct an
accurate and thorough assessment of the
potential risks and vulnerabilities to the
confidentiality, integrity, and availability of
confidential and protected information held by
the covered entity.
|
The secure network is only available to its
authenticated users; it provides continuous
encryption of internal and external transmission
of REDI; and it counters intrusion and invasion
by outside parties through daily modification of
code algorithms to negate intrusion. SafetySend
also provides additional detection tools to
assess the potential security vulnerabilities of
each individual computer. |
|
(B) Risk management is required. Implement
security measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate
level.
|
Requires two levels of authentication to
initiate user identification, and
multi-challenge verification to change a
password. Uses proprietary code; processing
algorithms, virus filters, and the secure
firewall are updated no less than once per
day. |
|
(C) Sanction policies are required. Entities
must apply appropriate sanctions against
workforce members who fail to comply with the
security policies and procedures of the covered
entity.
|
Sanction policy is established by the covered
entity on the SafetySend system; termination or
suspension is established by the entity "system
administrator". In the case of an individual
client, or an identified violation by a client
user within the entity, the individual is
responsible for compliance with the policies and
procedures of Safety Send, Inc. that are in
concert with GLB and HIPAA. Violation of those
policies and procedures constitutes immediate
suspension of privileges to use the SafetySend
system. |
|
(D) Information system activity reviews are
required. Implement procedures to regularly
review records of information system activity,
such as audit logs, access reports, and security
incident tracking reports.
|
Provides system activity review under an "audit
trail": a retained history of "secure"
transmissions outside the SafetySend system, as
well as an equal history of transmissions within
the SafetySend system. |
|
(2) Standard: Assigned security responsibility.
Identify the security official who is
responsible for the development and
implementation of the policies and procedures
required by regulation.
|
The entity designates its "System
Administrator", who becomes the assigned
responsible party. This system administrator
has access to review, modify or suspend user
privileges. |
|
(3)(i) Standard: Workforce security. Implement
policies and procedures to ensure that all
members of its workforce have appropriate access
to electronic confidential and protected
information, as provided under the applicable
paragraph of this section, and to prevent those
workforce members who do not have access under
paragraph (a)(4) of this section from obtaining
access to electronic confidential and protected
information.
|
Specific access is authorized by the System
Administrator. Non-access and sanction policy
is established by the covered entity;
termination or exclusion is established by the
entity "system administrator". Authorized
access requires two levels of authentication to
initiate client user identification, and dual
identity verification to change a password. |
|
(ii) Implementation specifications: |
|
(A) Authorization and/or supervision must be
addressed. Implement procedures for the
authorization and/or supervision of workforce
members who work with electronic confidential
and protected information or in locations where
it might be accessed.
|
Authorization is addressed in (2), (3)(i) and
(a)(4). |
|
(B) Workforce clearance procedure must be
addressed. Implement procedures to determine
that the access of a workforce member to
electronic confidential and protected
information is appropriate.
|
The System Administrator establishes the
clearance procedure and authorizes access to the
system. Individual client users self-administer. |
|
(C) Termination procedures that can restrict,
suspend and/or cancel access. Implement
procedures for terminating access to electronic
confidential and protected information when the
employment of a workforce member ends.
|
Non-access and sanction policy is established by
the covered entity; termination or exclusion is
established by the entity "system administrator".
Authorized access to SafetySend requires two
levels of authentication to initiate client user
identification, and dual identity verification
to change a password. The System Administrator
has authority to deny access to any user. In the
case of an individual client, or an identified
violation by a client user within the entity,
the individual is responsible for compliance
with the policies and procedures of Safety Send,
Inc. that are in concert with HIPAA and GLB.
Violation of those policies and procedures
constitutes immediate suspension of privileges
to use the SafetySend system. |
|
(4)(i) Standard: Information access management.
Implement policies and procedures for
authorizing access to electronic protected
information that are consistent with the
applicable requirements of subpart E of this
part.
|
SafetySend policies and procedures are
consistent with subpart E. |
|
(ii) Implementation specifications: |
|
(A) Isolating clearinghouse functions is a
regulatory requirement. If a financial or health
care clearinghouse is part of a larger
organization, the clearinghouse must implement
policies and procedures that protect the
electronic confidential protected information of
the clearinghouse from unauthorized access by
the larger organization.
|
SafetySend does not operate as a clearinghouse.
These policies and procedures are specific to,
and may be unique to, the entity. |
|
(B) Access authorization must be addressed.
Implement policies and procedures for granting
access to electronic confidential protected
information, for example, through access to a
workstation, transaction, program, process, or
other mechanism.
|
Access to all information in the SafetySend
system requires two levels of authentication:
proper user identification and password, with
dual identity verification to change a password.
Proprietary code, processing algorithms, virus
filters, and anti-hacking shields are updated no
less than once per day. |
|
(C) Access establishment and modification
(Addressable). Implement policies and procedures
that, based upon the entity's access
authorization policies, establish, document,
review, and modify a user's right of access to a
workstation, transaction, program, or process.
|
Sanction policy is established by the covered
entity; termination or exclusion is established
by the entity "system administrator". In the
case of an individual client, or an identified
violation by a client user within the entity,
the individual is responsible for compliance
with the policies and procedures of Safety Send,
Inc. that are in concert with GLB and HIPAA.
Violation of those policies and procedures
constitutes immediate suspension of system
privileges. SafetySend requires two levels of
authentication to initiate client user
identification, and dual identity verification
to change a password. |
|
(5)(i) Standard: Security awareness and
training. Implement a security awareness and
training program for all members of its
workforce (including management).
|
Users are notified no less than annually of the
security requirements of GLB and HIPAA, and at
such times as those security requirements may be
amended. Acknowledgement is required to avoid
suspension of access to SafetySend. |
|
(ii) Implementation specifications. Implement: |
|
(A) Security reminders must be addressed by
periodic security updates.
|
Daily review and update of security components. |
|
(B) Protection from malicious software must be
addressed. Procedures for guarding against,
detecting, and reporting malicious software. |
Proprietary code guards against malicious
software and reports intrusion attempts to the
targeted user through constant monitoring and
exclusion of malicious software. Virus and spam
filters are active. |
|
(C) Log-in monitoring must be addressed.
Procedures for monitoring log-in attempts and
reporting discrepancies.
|
Requires two levels of authentication to
initiate client user identification, and dual
identity verification to change a password. An
8-character alphanumeric password is required to
enter the system. On failure to enter it,
confidential answers to two levels of specific
questions are required to acquire a temporary
password, followed by re-establishment of an
active password. |
|
(D) Password management must be addressed.
Procedures for creating, changing, and
safeguarding passwords.
|
An 8-character alphanumeric password is required
to enter the system. SafetySend requires two
levels of authentication to initiate client user
identification, and dual identity verification
to change a password. Proprietary code,
processing algorithms, virus filters, and
anti-hacking shields are updated no less than
once per day. |
|
(6)(i) Standard: Security incident procedures.
Implement policies and procedures to address
security incidents.
|
Authentication upon system entrance; verified
change of custody by receipt via an established
password, or a temporary password issued to a
known receiver; timed "log out" of the system
automatically at 20 minutes or by manual exit;
automatic virus filtering and updating; spyware
removal on demand. Users are notified of
attempted intrusion incidents. Users responsible
for non-compliance incidents are suspended until
the suspension is released by the System
Administrator. |
|
(ii) Implementation specification: Response and
Reporting is required. Identify and respond to
suspected or known security incidents; mitigate,
to the extent practicable, harmful effects of
security incidents that are known to the covered
entity; and document security incidents and
their outcomes.
|
Access is suspended and denied by action of the
System Administrator, or upon notification by the
System Administrator, for any user suspected of a
security incident. Individual client users are
self-administered under their own
responsibility. Should SafetySend become aware of
a security incident, access and use are
suspended immediately, or within one day of
notification, that being the extent
practicable. |
|
(7)(i) Standard: Contingency plan. Establish
(and implement as needed) policies and
procedures for responding to an emergency or
other occurrence (for example, fire, vandalism,
system failure, and natural disaster) that
damages systems that contain electronic
protected health information.
|
Contingency plan for response to an emergency or
other occurrence, safeguarding REDI. Destruction
of or damage to user and/or entity computers
does not destroy or deny access to PHI data on
SafetySend secure servers. SafetySend operates
"backup" servers at a second location in the
event of loss of or damage to primary client
storage servers. |
|
(ii) Implementation specifications: |
|
(A) Data backup plan (Required). Establish and
implement procedures to create and maintain
retrievable exact copies of electronic protected
health information.
|
Provides storage of REDI backup files in
retrievable "Secure Folders". SafetySend is the
backup, at two location sites, for the entity or
individual client user. |
|
(B) Disaster recovery plan is required.
Establish (and implement as needed) procedures
to restore any loss of REDI data.
|
Secure backup servers at secondary locations
retrieve data in the event of a disaster.
SafetySend is the backup, at two location sites,
for the entity or individual client user. |
|
(C) Emergency mode operation plan (Required).
Establish (and implement as needed) procedures
to enable continuation of critical business
processes for protection of the security of
electronic protected health information while
operating in emergency mode.
|
SafetySend is an ASP (application service
provider) system, thereby allowing continuation
of operations from alternate locations where
Internet connections can be made. Critical
business processes can function without
interruption as long as Internet access is
available. |
|
(D) Testing and revision procedures are required
to be addressed. A regulated entity is required
to implement procedures for periodic testing and
revision of contingency plans.
|
SafetySend contingency plans are reviewed and
revised on a regular basis. |
|
(E) Applications and data criticality analysis
(Addressable). Assess the relative criticality
of specific applications and data in support of
other contingency plan components.
|
SafetySend assesses critical applications on a
regular basis. |
|
(8) Standard: Evaluation. Perform a periodic
technical and non-technical evaluation, based
initially upon the standards implemented under
the regulation and subsequently in response to
environmental or operational changes affecting
the security of the regulated REDI of health
and/or financial information, that establishes
the extent to which an entity's security
policies and procedures meet the regulatory
requirements of this subpart.
|
SafetySend reviews all operational changes for
compliance prior to implementation, and modifies
the system to compliance in the event of
compliance changes, quarterly and no less than
three times per year. All servers are under
physical security as well as technical security
provided by proprietary code. |
|
(b)(1) Standard: Business associate contracts
and other arrangements. A covered entity, in
accordance with the applicable HIPAA or GLB
regulation, may permit a business associate to
create, receive, maintain, or transmit regulated
electronic protected information on the entity's
behalf only if the covered entity obtains
satisfactory assurances that the business
associate will appropriately safeguard the
information.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. |
|
(2) This standard may or may not apply with
respect to the following [application of a
specific part and subpart is determined by the
regulated entity]: |
|
(i) The transmission by a covered entity of
regulated electronic information to a health
care or financial service provider concerning
the treatment of an individual.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the client user. |
|
(ii) The transmission of regulated electronic
information by a regulated financial entity,
association or health entity, group plan, or an
HMO or health insurance issuer on behalf of a
group health plan, to a plan sponsor, to the
extent that the requirements of regulation are
met.
|
A Compliance Guideline is available to entities
and Business Associate clients and their clients
as documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the client user. |
|
(iii) The transmission of REDI from or to other
agencies providing the services, when the
regulated entity is a financial entity, agency
or health plan that is a government program
providing public benefits, if the requirements
of the applicable regulation are met.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the client user. |
|
(3) A covered entity that violates the
satisfactory assurances it provided as a
business associate of another covered entity
will be in noncompliance with the regulatory
standards, implementation specifications, and
requirements of applicable regulations, and
subject to penalties of the enforcing agencies
or departments.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the client user. |
|
(4) Implementation specifications: Written
contract or other arrangement (Required).
Document the satisfactory assurances required by
paragraph (b)(1) of this section through a
written contract or other arrangement with the
business associate that meets the applicable
requirements.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the client user. |
|
Physical safeguards. A covered entity must, in
accordance with specific regulation:
|
Physical safeguards are under the control of
the regulated entity. |
|
(a)(1) Standard: Facility access controls.
Implement policies and procedures to limit
physical access to its electronic information
systems and the facility or facilities in which
they are housed, while ensuring that properly
authorized access is allowed.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. |
|
(2) Implementation specifications: |
|
(i) Contingency operations are addressable, with
the requirement to establish (and implement as
needed) procedures that allow facility access in
support of restoration of lost data under the
disaster recovery plan and emergency mode
operations plan in the event of an emergency.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. All communication is retrievable
from SafetySend. |
|
(ii) Facility security plan (Addressable).
Implement policies and procedures to safeguard
the facility and the equipment therein from
unauthorized physical access, tampering, and
theft.
(iii) Access control and validation procedures
(Addressable). Implement procedures to control
and validate a person's access to facilities
based on their role or function, including
visitor control, and control of access to
software programs for testing and revision.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the client user. |
|
(iii) Maintenance records (Addressable).
Implement policies and procedures to document
repairs and modifications to the physical
components of a facility which are related to
security (for example, hardware, walls, doors,
and locks).
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the regulated entity or client
user. |
|
(b) Workstation use. Regulated entities are
required to implement policies and procedures
that specify the proper functions to be
performed, the manner in which those functions
are to be performed, and the physical attributes
of the surroundings of a specific workstation or
class of workstation that can access electronic
protected health information.
|
A Compliance Guideline is available to Business
Associate clients and their clients as
documentation of applied compliance policies
and procedures. Facility policies and procedures
are covered by the client user. Specific
procedures are the responsibility of |